Add dynamic Node version and improve SAML SSO error handling

Dockerfiles and GitHub Actions workflow now use a dynamic Node.js version via build args, reading from .nvmrc for consistency. SAML SSO controller adds workspace ID validation, improved error handling, and clearer error responses for SSO initiation and ACS callback. Also documents REDIS_URL in environment types.

Author: neSpecc

.github/workflows/build-and-push-docker-image.yml

@@ -48,11 +48,19 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
+      - name: Read Node.js version from .nvmrc
+        id: node_version
+        run: |
+          NODE_VERSION=$(cat api/.nvmrc | tr -d 'v')
+          echo "version=${NODE_VERSION}" >> $GITHUB_OUTPUT
+
       - name: Build and push image
         uses: docker/build-push-action@v3
         with:
-          context: .
-          file: docker/Dockerfile.prod
+          context: ./api
+          file: ./api/docker/Dockerfile.prod
+          build-args: |
+            NODE_VERSION=${{ steps.node_version.outputs.version }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           push: ${{ github.ref == 'refs/heads/stage' || github.ref == 'refs/heads/prod' || startsWith(github.ref, 'refs/tags/v') }}

docker/Dockerfile.dev

@@ -1,4 +1,5 @@
-FROM node:22-alpine as builder
+ARG NODE_VERSION=24.11.1
+FROM node:${NODE_VERSION}-alpine as builder
 
 WORKDIR /usr/src/app
 RUN apk add --no-cache git gcc g++ python3 make musl-dev
@@ -7,7 +8,7 @@ COPY package.json yarn.lock ./
 
 RUN yarn install
 
-FROM node:22-alpine
+FROM node:${NODE_VERSION}-alpine
 
 WORKDIR /usr/src/app
 

docker/Dockerfile.prod

@@ -1,4 +1,5 @@
-FROM node:22-alpine as builder
+ARG NODE_VERSION=24.11.1
+FROM node:${NODE_VERSION}-alpine as builder
 
 WORKDIR /usr/src/app
 RUN apk add --no-cache git gcc g++ python3 make musl-dev
@@ -11,7 +12,7 @@ COPY . .
 
 RUN yarn build
 
-FROM node:22-alpine
+FROM node:${NODE_VERSION}-alpine
 
 WORKDIR /usr/src/app
 

src/sso/saml/controller.ts

@@ -1,5 +1,6 @@
 import express from 'express';
 import { v4 as uuid } from 'uuid';
+import { ObjectId } from 'mongodb';
 import SamlService from './service';
 import samlStore from './store';
 import { ContextFactories } from '../../types/graphql';
@@ -26,6 +27,16 @@ export default class SamlController {
     this.factories = factories;
   }
 
+  /**
+   * Validate workspace ID format
+   *
+   * @param workspaceId - workspace ID to validate
+   * @returns true if valid, false otherwise
+   */
+  private isValidWorkspaceId(workspaceId: string): boolean {
+    return ObjectId.isValid(workspaceId);
+  }
+
   /**
    * Compose Assertion Consumer Service URL for workspace
    *
@@ -41,147 +52,199 @@ export default class SamlController {
    * Initiate SSO login (GET /auth/sso/saml/:workspaceId)
    */
   public async initiateLogin(req: express.Request, res: express.Response): Promise<void> {
-    const { workspaceId } = req.params;
-    const returnUrl = (req.query.returnUrl as string) || `/workspace/${workspaceId}`;
+    try {
+      const { workspaceId } = req.params;
+      const returnUrl = (req.query.returnUrl as string) || `/workspace/${workspaceId}`;
 
-    /**
-     * 1. Check if workspace has SSO enabled
-     */
-    const workspace = await this.factories.workspacesFactory.findById(workspaceId);
+      /**
+       * Validate workspace ID format
+       */
+      if (!this.isValidWorkspaceId(workspaceId)) {
+        res.status(400).json({ error: 'Invalid workspace ID' });
+        return;
+      }
 
-    if (!workspace || !workspace.sso?.enabled) {
-      res.status(400).json({ error: 'SSO is not enabled for this workspace' });
-      return;
-    }
+      /**
+       * 1. Check if workspace has SSO enabled
+       */
+      const workspace = await this.factories.workspacesFactory.findById(workspaceId);
 
-    /**
-     * 2. Compose Assertion Consumer Service URL
-     */
-    const acsUrl = this.getAcsUrl(workspaceId);
-    const relayStateId = uuid();
+      if (!workspace || !workspace.sso?.enabled) {
+        res.status(400).json({ error: 'SSO is not enabled for this workspace' });
+        return;
+      }
 
-    /**
-     * 3. Save RelayState to temporary storage
-     */
-    samlStore.saveRelayState(relayStateId, { returnUrl, workspaceId });
+      /**
+       * 2. Compose Assertion Consumer Service URL
+       */
+      const acsUrl = this.getAcsUrl(workspaceId);
+      const relayStateId = uuid();
 
-    /**
-     * 4. Generate AuthnRequest
-     */
-    const { requestId, encodedRequest } = await this.samlService.generateAuthnRequest(
-      workspaceId,
-      acsUrl,
-      relayStateId,
-      workspace.sso.saml
-    );
+      /**
+       * 3. Save RelayState to temporary storage
+       */
+      samlStore.saveRelayState(relayStateId, { returnUrl, workspaceId });
 
-    /**
-     * 5. Save AuthnRequest ID for InResponseTo validation
-     */
-    samlStore.saveAuthnRequest(requestId, workspaceId);
+      /**
+       * 4. Generate AuthnRequest
+       */
+      const { requestId, encodedRequest } = await this.samlService.generateAuthnRequest(
+        workspaceId,
+        acsUrl,
+        relayStateId,
+        workspace.sso.saml
+      );
 
-    /**
-     * 6. Redirect to IdP
-     */
-    const redirectUrl = new URL(workspace.sso.saml.ssoUrl);
-    redirectUrl.searchParams.set('SAMLRequest', encodedRequest);
-    redirectUrl.searchParams.set('RelayState', relayStateId);
+      /**
+       * 5. Save AuthnRequest ID for InResponseTo validation
+       */
+      samlStore.saveAuthnRequest(requestId, workspaceId);
+
+      /**
+       * 6. Redirect to IdP
+       */
+      const redirectUrl = new URL(workspace.sso.saml.ssoUrl);
+      redirectUrl.searchParams.set('SAMLRequest', encodedRequest);
+      redirectUrl.searchParams.set('RelayState', relayStateId);
 
-    res.redirect(redirectUrl.toString());
+      res.redirect(redirectUrl.toString());
+    } catch (error) {
+      console.error('SSO initiation error:', {
+        workspaceId: req.params.workspaceId,
+        error: error instanceof Error ? error.message : 'Unknown error',
+      });
+      res.status(500).json({ error: 'Failed to initiate SSO login' });
+    }
   }
 
   /**
    * Handle ACS callback (POST /auth/sso/saml/:workspaceId/acs)
    */
   public async handleAcs(req: express.Request, res: express.Response): Promise<void> {
-    const { workspaceId } = req.params;
-    const samlResponse = req.body.SAMLResponse as string;
-    const relayStateId = req.body.RelayState as string;
-
-    /**
-     * 1. Get workspace SSO configuration and check if SSO is enabled
-     */
-    const workspace = await this.factories.workspacesFactory.findById(workspaceId);
-
-    if (!workspace || !workspace.sso?.enabled) {
-      res.status(400).json({ error: 'SSO is not enabled' });
-      return;
-    }
+    try {
+      const { workspaceId } = req.params;
+      const samlResponse = req.body.SAMLResponse as string;
+      const relayStateId = req.body.RelayState as string;
 
-    /**
-     * 2. Validate and parse SAML Response
-     */
-    const acsUrl = this.getAcsUrl(workspaceId);
+      /**
+       * Validate workspace ID format
+       */
+      if (!this.isValidWorkspaceId(workspaceId)) {
+        res.status(400).json({ error: 'Invalid workspace ID' });
+        return;
+      }
 
-    let samlData: SamlResponseData;
+      /**
+       * Validate required SAML response
+       */
+      if (!samlResponse) {
+        res.status(400).json({ error: 'SAML response is required' });
+        return;
+      }
 
-    try {
       /**
-       * Validate and parse SAML Response
-       * Note: InResponseTo validation is done separately after parsing
+       * 1. Get workspace SSO configuration and check if SSO is enabled
        */
-      samlData = await this.samlService.validateAndParseResponse(
-        samlResponse,
-        workspaceId,
-        acsUrl,
-        workspace.sso.saml
-      );
+      const workspace = await this.factories.workspacesFactory.findById(workspaceId);
+
+      if (!workspace || !workspace.sso?.enabled) {
+        res.status(400).json({ error: 'SSO is not enabled for this workspace' });
+        return;
+      }
 
       /**
-       * Validate InResponseTo against stored AuthnRequest
+       * 2. Validate and parse SAML Response
        */
-      if (samlData.inResponseTo) {
-        const isValidRequest = samlStore.validateAndConsumeAuthnRequest(
-          samlData.inResponseTo,
-          workspaceId
+      const acsUrl = this.getAcsUrl(workspaceId);
+
+      let samlData: SamlResponseData;
+
+      try {
+        /**
+         * Validate and parse SAML Response
+         * Note: InResponseTo validation is done separately after parsing
+         */
+        samlData = await this.samlService.validateAndParseResponse(
+          samlResponse,
+          workspaceId,
+          acsUrl,
+          workspace.sso.saml
         );
 
-        if (!isValidRequest) {
-          res.status(400).json({ error: 'Invalid SAML response: InResponseTo validation failed' });
-          return;
+        /**
+         * Validate InResponseTo against stored AuthnRequest
+         */
+        if (samlData.inResponseTo) {
+          const isValidRequest = samlStore.validateAndConsumeAuthnRequest(
+            samlData.inResponseTo,
+            workspaceId
+          );
+
+          if (!isValidRequest) {
+            res.status(400).json({ error: 'Invalid SAML response: InResponseTo validation failed' });
+            return;
+          }
         }
+      } catch (error) {
+        console.error('SAML validation error:', {
+          workspaceId,
+          error: error instanceof Error ? error.message : 'Unknown error',
+        });
+        res.status(400).json({ error: 'Invalid SAML response' });
+        return;
       }
-    } catch (error) {
-      console.error('SAML validation error:', {
-        workspaceId,
-        error: error instanceof Error ? error.message : 'Unknown error',
-      });
-      res.status(400).json({ error: 'Invalid SAML response' });
-      return;
-    }
 
-    /**
-     * 3. Find or create user
-     */
-    let user = await this.factories.usersFactory.findBySamlIdentity(workspaceId, samlData.nameId);
+      /**
+       * 3. Find or create user
+       */
+      let user = await this.factories.usersFactory.findBySamlIdentity(workspaceId, samlData.nameId);
+
+      if (!user) {
+        /**
+         * JIT provisioning or invite-only policy
+         */
+        user = await this.handleUserProvisioning(workspaceId, samlData, workspace);
+      }
 
-    if (!user) {
       /**
-       * JIT provisioning or invite-only policy
+       * 4. Get RelayState for return URL (before consuming)
+       * Note: RelayState is consumed after first use, so we need to get it before validation
        */
-      user = await this.handleUserProvisioning(workspaceId, samlData, workspace);
-    }
+      const relayState = samlStore.getRelayState(relayStateId);
+      const finalReturnUrl = relayState?.returnUrl || `/workspace/${workspaceId}`;
 
-    /**
-     * 4. Get RelayState for return URL (before consuming)
-     * Note: RelayState is consumed after first use, so we need to get it before validation
-     */
-    const relayState = samlStore.getRelayState(relayStateId);
-    const finalReturnUrl = relayState?.returnUrl || `/workspace/${workspaceId}`;
+      /**
+       * 5. Create Hawk session
+       */
+      const tokens = await user.generateTokensPair();
 
-    /**
-     * 5. Create Hawk session
-     */
-    const tokens = await user.generateTokensPair();
+      /**
+       * 6. Redirect to Garage with tokens
+       */
+      const frontendUrl = new URL(finalReturnUrl, process.env.GARAGE_URL || 'http://localhost:3000');
+      frontendUrl.searchParams.set('access_token', tokens.accessToken);
+      frontendUrl.searchParams.set('refresh_token', tokens.refreshToken);
 
-    /**
-     * 6. Redirect to Garage with tokens
-     */
-    const frontendUrl = new URL(finalReturnUrl, process.env.GARAGE_URL || 'http://localhost:3000');
-    frontendUrl.searchParams.set('access_token', tokens.accessToken);
-    frontendUrl.searchParams.set('refresh_token', tokens.refreshToken);
+      res.redirect(frontendUrl.toString());
+    } catch (error) {
+      /**
+       * Handle specific error types
+       */
+      if (error instanceof Error && error.message.includes('SAML')) {
+        console.error('SAML processing error:', {
+          workspaceId: req.params.workspaceId,
+          error: error.message,
+        });
+        res.status(400).json({ error: 'Invalid SAML response' });
+        return;
+      }
 
-    res.redirect(frontendUrl.toString());
+      console.error('ACS callback error:', {
+        workspaceId: req.params.workspaceId,
+        error: error instanceof Error ? error.message : 'Unknown error',
+      });
+      res.status(500).json({ error: 'Failed to process SSO callback' });
+    }
   }
 
   /**

src/types/env.d.ts

@@ -38,5 +38,13 @@ declare namespace NodeJS {
      * @example "urn:hawk:tracker:saml"
      */
     SSO_SP_ENTITY_ID: string;
+
+    /**
+     * Redis connection URL
+     * Used for caching and TimeSeries data
+     *
+     * @example "redis://redis:6379" (Docker) or "redis://localhost:6379" (local)
+     */
+    REDIS_URL?: string;
   }
 }